A survey shows that email remains a major source of corporate data leakage, as users continue to break the rules

InfoWorld | Apr 25, 2011

Despite years of regulations, fines, corporate policies, and data leakage prevention tools, companies are still remarkably vulnerable when it comes to employees' inappropriate use of email.

In a recent VaporStream survey of professional email users, 1 in 10 admitted they had unintentionally leaked private and confidential business information via email. Worse, 73.7 percent in companies with more than 100 employees said that they or someone in their company had emailed information in violation of regulatory compliance; 28 percent of them said the violation was intentional. And 45.3 percent claimed an email they sent was then forwarded to someone they didn't intend to see it. One in five respondents said an email they had sent had come back to haunt them.

Mobile devices appear to have their own special hazards: 60 percent of those surveyed said they had at some time hit Reply All instead of Reply when responding to an email on their tablet or smartphone.

The dangers of printing out confidential emails should be obvious -- sensitive printouts get left in wastebaskets, hotel rooms, and airport terminals, not to mention network printer memory -- yet when asked how often respondents printed out their emails, 81.7 percent said "occasionally or often" and 50 percent said they had printed out emails with confidential information.

Not only are users careless, but many are also surprisingly ignorant: 46.5 percent of respondents didn't know whether their company monitored or archived email.

The company that conducted the survey, VaporStream, has a dog in this fight: a Web-based service that provides "recordless messaging." Messages sent through the service are stored only in the recipient system's video memory and disappear after they are read. The company separates the headers from the content and stores nothing. Messages aren't stored on either the sender's or recipient's systems.

Data loss prevention tools represent the conventional technology response to the problem, but false positives limit their use, and they can be defeated by encrypted file attachments, not to mention users' penchant for sending messages through their personal email accounts at work. Jon Neiditz, an attorney specializing in information management, privacy, and security at Nelson, Mullins, Riley, and Scarborough, also points out that it's difficult or impossible for data loss prevention tools to monitor smartphones and other devices that send email, or to keep up with all the new slang, jargon, and insider language that goes into email messages.

"The illusion of privacy -- even among savvy senders -- the rapid replication of email throughout the recipient's systems, and the complete lack of control over one-click forwarding all keep email the undisputed champion generator of legal smoking guns," says Neiditz.